Cyber War: The Next Threat to National Security and What to Do About It
As of last count, there are nearly 6.8 billion people living on the planet. On the current standard, that’s more than one address for every two people. And today, that is not enough. As the West grows more dependent on the Internet, and as the Second and Third worlds expand their use, 4.29 billion addresses cannot possibly satisfy all the possible people and devices that will want to connect to the web. That the Internet is running out of addresses on its own may be a manageable problem. If we move quickly to convert to the IPv6 address standard, by the time we run out of IPv4 addresses, in about two years, most devices should be able to operate on the new standard. But step back for a moment and a cause for concern begins to emerge.
The Pentagon envisions a near-future scenario in which every soldier on the battlefield will be a hub in a network, and as many as a dozen devices carried by that soldier will be plugged into the network and require their own addresses. If you stroll through the appliance aisle at a high-end home-goods store, you will notice that many of the washing machines, dryers, dishwashers, stoves, and refrigerators are advertising that they can be controlled through the Internet. If you are at work and want the oven to be preheated to 425 degrees when you arrive home, you could log onto a webpage, access your oven, and set it to the right temperature from your desktop.
What all this means is that as we move beyond 4.29 billion Internet addresses, the degree to which our society will be dependent on the Internet, for everything from controlling our thermostats to defending our nation, is set to explode, and with it the security problem is only going to get worse. What this could mean in a real-world conflict is something that until recently most policy makers in the Pentagon were loath to think about. It means that if you can hack into things on the Internet, you might not just be able to steal money. You might be able to cause some real damage, including damage to our military. So exactly how is it that you can hack into things, and why is that possible?
SOFTWARE AND HARDWARE
Of the three things about cyberspace that make cyber war possible, the most important may be the flaws in the software and hardware. All of those devices on the Internet we just discussed (the computer terminals and laptops, the routers and switches, the e-mail and webpage servers, the data files) are made by a large number of companies. Often, separate companies make the software that runs those devices. In the U.S. market, most laptops are made by Dell, HP, and Apple. (A Chinese company, Lenovo, is making a dent after having bought IBM’s laptop computer unit.) Most big routers are made by Cisco and Juniper, and now the Chinese company Huawei. Servers are made by HP, Dell, IBM, and a large number of others, depending upon their purpose. The software they run is written mainly by Microsoft, Oracle, IBM, and Apple, but also by many other companies. Although the major software vendors are all U.S. corporations, the machines (and sometimes the code that runs on them) come from many places.
In The World Is Flat, Thomas Friedman traces the production of his Dell Inspiron 600m notebook from the phone order he places with a customer-service representative in India to its delivery at his front door in suburban Maryland. His computer was assembled at a factory in Penang, Malaysia. It was “co-designed” by a team of Dell engineers in Austin and notebook designers in Taiwan. Most of the hard work, the design of the motherboard, was done by the Taiwanese team. For the rest of the thirty key components, Dell used a string of different suppliers. Its Intel processor might have been made in the Philippines, Costa Rica, Malaysia, or China. Its memory might have been made in Korea by Samsung, or by lesser-known companies in Germany or Japan. Its graphics card came from one of two factories in China. The motherboard, while designed in Taiwan, could have been made at a factory there, but probably came from one of two plants in Mainland China. The keyboard came from one of three factories in China, two of them owned by Taiwanese companies. The wireless card was made either by an American-owned company in China or by a Chinese-owned company in Malaysia or in Taiwan. The hard drive was probably made by the American company Seagate at a factory in Singapore, or by Hitachi or Fujitsu in Thailand, or by Toshiba in the Philippines.
After all these parts were assembled at the factory in Malaysia, a digital image of the Windows XP operating system (and probably Microsoft Office) was burned onto the hard drive. The code for that software, amounting to more than 40 million lines for XP alone, was written at a dozen or more locations worldwide. After the system was imprinted with the software, the computer was packaged up, placed on a pallet with 150 similar computers, and flown on a 747 to Nashville. From there, the laptop was picked up by UPS and shipped to Friedman. All told, Friedman proudly reports that “the total supply chain for my computer, including suppliers of suppliers, involved about four hundred companies in North America, Europe, and primarily Asia.”
Why does Friedman spend six pages in a book about geopolitics documenting the supply chain for the computer he wrote the book on? Because he believes that the supply chain that built his computer knits together the countries that were part of that process in a way that makes interstate conflicts of the sort we saw in the twentieth century less likely. Friedman admits this is an update of his “Golden Arches Theory of Conflict Prevention” from his previous book, which argued that two states that both had a McDonald’s would not go to war with each other. This time, Friedman’s tongue-in-cheek argument has a little more meat to it than the hamburger theory. The supply chain is a microeconomic example of the trade that many theorists of international relations believe is so beneficial to the countries involved that even threatening war would not be worth the potential economic loss. Friedman looks at the averted crisis in 2004, when Taiwanese politicians running on a pro-independence platform were voted out of office. In his cute bumper-sticker-slogan way, Friedman observed that “Motherboards won over motherland,” concluding that the status quo economic relationship was more valuable than independence to the Taiwanese voters.
Or maybe the Taiwanese voters just didn’t want to end up dead after China invaded, which is what China more or less said it would do if Taiwan declared its independence. What Friedman sees as a force that makes conflict less likely, the supply chain for producing computers, may in fact make cyber warfare more likely, or at least make it more likely that the Chinese would win in any conflict. At any point in the supply chain that put together Friedman’s computer (or your computer, or the Apple MacBook Pro that I am writing this book on), vulnerabilities were introduced, most accidentally, but probably some intentionally, that can make it both a target and a weapon in a cyber war.
Software is used as an intermediary between human and machine, to translate the human intention to find movie times online or read a blog, into something that a machine can understand. Computers really are just evolved electronic calculators. Early computer scientists realized that timed electrical pulses could be used to represent 1’s and that the absence of a pulse could be used to represent 0’s, like long and short bursts in Morse code. The base-10 numbers that humans use, because we have ten fingers, could be translated into this binary code that a machine could understand so that when, for instance, the 5 key on an early electronic calculator was depressed, it would close circuits that would send a pulse followed by a pause followed by another pulse in quick succession to represent the 1, 0, and 1 that make up the number 5 in a binary logic system.
All computers today are just evolutions of that same basic process. A simple e-mail message is converted into electric pulses that can be carried over copper wires and fiber-optic cables and then retranslated into a message readable to a human eye. To make that happen someone needed to provide instructions that a computer could understand. Those instructions are written in programming languages as computer code, and most people who write code make mistakes. The obvious ones get fixed, or else the computer program does not function as intended; but the less-obvious ones are often left in the code and can be exploited later to gain access. As computer systems have gotten faster, computer programs have grown more complex to take advantage of all the new speed and power. Windows 95 had fewer than 10 million lines of code. Windows XP, 40 million. Windows Vista, more than 50 million. In a little over a decade, the number of lines of code has grown by a factor of five, and with it the number of coding errors. Many of those coding errors allow hackers to make the software do something it was not supposed to, like let them in.
To manipulate popular software into doing the wrong thing, like granting you system administrator status, hackers write small programs, “exploits,” each aimed at a specific weakness or mistake in a piece of software’s design or a system’s configuration. Because computer crime is big business, and because preparing to conduct cyber war is even better funded, criminal hackers and cyber warriors are constantly generating new ways to trick systems. Software built to do this is called malware. On average in 2009, a new type or variant of malware was entering cyberspace every 2.2 seconds. Do the math. The three or four big antivirus companies run sophisticated networks to look for new malware, but they find and issue a “fix” for roughly one in every ten pieces of malware. The fix is an update that lets their product recognize and block that particular piece of malware. By the time the fix reaches the antivirus company’s customers, days, and sometimes weeks, have gone by. During that window, companies, government departments, and home users are entirely exposed to the new malware, and they will not even know if they have been hit by it.
Frequently the malware is sitting on innocent websites, waiting for you. Let’s say you surf to the website of a Washington think tank to read their latest analysis of some important public policy issue. Think tanks are notorious for not having enough money and not giving enough attention to creating secure and safe websites. So, as you are reading about the latest machinations over health care or human rights in China, a little piece of malware is downloading itself onto your computer. You have no way of knowing, but now your new friend in Belarus is logging your every keystroke. What happens when you log into your bank account or to the Virtual Private Network of your employer, the Really Big Defense Company? You can probably guess.
The most common software error for years, and one of the easiest to explain, is the “buffer overflow.” When a program accepts input, a user name or password typed into a web form, for instance, it sets aside a fixed amount of memory, a buffer, to hold it. It is supposed to work like Twitter, where you cannot enter more than 140 characters. But if the programmer forgets to check how much data arrived before copying it into the buffer, a user can send more than the buffer holds, and the extra bytes spill over into whatever sits next to it in memory: other variables, a flag that records whether the user is an administrator, or the address the processor will jump to when the current routine finishes. An attacker who knows that layout does not type a user name at all. He sends a carefully built string that fills the buffer, overwrites the flag or the address, and may carry its own machine instructions, perhaps instructions to add an account. The program, which trusts the contents of its own memory, runs them with whatever privileges it has, as if a systems administrator had typed them. The web form is only the delivery route; the flaw lives in the program that processes the input, and the same mistake can be reached through a network packet, a file, or an e-mail attachment. Ping! You are inside.
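The following is an added illustration, not code from the book or from any product it names. It shows the mistake described above in C, the language most of the software in question is written in. The login record, its field sizes, and the trusted `is_admin` flag are assumptions made for the demonstration; the attack input is constructed here, not captured from a real system. Because writing past an array through the array itself is undefined behaviour in C, the vulnerable routine performs its unchecked copy through a byte pointer to the whole record, which gives the same result a missing length check produces in practice while keeping the demonstration deterministic. The hardened routine beside it shows the one check that was missing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A login record as a program might keep it in memory: a fixed-size
   buffer for the user name, followed by a flag the rest of the code trusts.
   Assumed layout for this demonstration; real programs differ. */
struct login {
    char name[16];          /* room for 15 characters plus the terminating NUL */
    unsigned char is_admin; /* 0 = ordinary user, 1 = administrator */
};

/* Vulnerable: the input is copied without checking its length against
   sizeof rec.name. The copy goes through a byte pointer to the whole
   record so the behaviour is well-defined; the effect is exactly what the
   missing check causes: bytes that do not fit in name[] land on is_admin. */
int login_vulnerable(const unsigned char *input, size_t len) {
    struct login rec;
    unsigned char *raw = (unsigned char *)&rec;
    memset(&rec, 0, sizeof rec);
    if (len > sizeof rec)   /* bounded by the record, not by the field */
        len = sizeof rec;
    memcpy(raw, input, len);
    return rec.is_admin;
}

/* Hardened: the length is checked against the field the data is meant for,
   and an over-long name is rejected rather than copied or silently cut. */
int login_hardened(const unsigned char *input, size_t len, int *rejected) {
    struct login rec;
    memset(&rec, 0, sizeof rec);
    if (len >= sizeof rec.name) {   /* one byte must remain for the NUL */
        *rejected = 1;
        return 0;
    }
    memcpy(rec.name, input, len);
    rec.name[len] = '\0';
    *rejected = 0;
    return rec.is_admin;
}

/* Constructed attack input: enough filler to fill name[], then the byte
   0x01, which lands on is_admin. The length is derived from the struct
   layout so the payload stays right if the field sizes change. */
size_t build_payload(unsigned char *out, size_t cap) {
    size_t n = offsetof(struct login, is_admin) + 1;
    if (n > cap)
        return 0;
    memset(out, 'A', n - 1);
    out[n - 1] = 0x01;
    return n;
}

/* Feed the payload to the vulnerable routine; returns the is_admin it saw. */
int demo_vulnerable(void) {
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return login_vulnerable(payload, n);
}

/* Feed the same payload to the hardened routine; returns 1 if rejected. */
int demo_hardened_rejected(void) {
    unsigned char payload[64];
    int rejected = 0;
    size_t n = build_payload(payload, sizeof payload);
    login_hardened(payload, n, &rejected);
    return rejected;
}

/* A name that fits is accepted by the hardened routine and stays non-admin. */
int demo_hardened_normal(void) {
    const unsigned char name[] = "friedman";
    int rejected = 0;
    int admin = login_hardened(name, sizeof name - 1, &rejected);
    return rejected == 0 && admin == 0;
}

int main(void) {
    printf("vulnerable routine saw is_admin=%d\n", demo_vulnerable());
    printf("hardened routine rejected the same input: %d\n", demo_hardened_rejected());
    printf("hardened routine accepts a normal name: %d\n", demo_hardened_normal());
    return 0;
}
```

The same seventeen bytes make the vulnerable routine believe it is talking to an administrator and are turned away by the hardened one. In a real program the byte that gets overwritten is more often a saved return address than a flag, which is how the attacker’s own instructions come to be executed, but the root cause is identical: a copy whose length was never compared with the size of the space it was copied into.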
Software errors are not easily discovered. Even experts cannot usually visually identify coding errors or intentional vulnerabilities in a few lines of code, let alone in millions. There is now software that checks software, but it is far from able to catch all the glitches in millions of lines. Each line of that code had to be written by a computer programmer, and each additional line of code increased the number of bugs introduced into the software. In some cases, programmers actually put those bugs in intentionally. The most famous case, and one that illustrates a larger phenomenon, occurred when somebody at Microsoft dumped an entire airplane-simulation program inside the Excel 97 spreadsheet software. Microsoft only discovered it when people started thanking the company for it. Programmers may do it for fun, for profit, or in the service of a competing company or foreign intelligence service; but whatever their motive, it is a nearly impossible task to ensure that a few lines of code allowing for unauthorized access through a “trapdoor” are kept out of such massive programs. The original Trojan Horse had hidden commandos; today we have hidden commands of malicious code. In the case of the Excel spreadsheet, you began by opening a new blank document, pressing F5, and when a reference box opened, you typed in “X97:L97” and pressed enter, then pressed tab. This took you to cell M97 on the spreadsheet. Then if you clicked on the chart wizard button while holding down the control and shift keys, you activated a flight-simulator program, which popped right up.
Sometimes developers of code leave behind secret trapdoors so they can get back into the code easily later on to update it. Sometimes, unknown to their company, they do it for less reputable reasons. And sometimes other people, like hackers and cyber warriors, do it so they can get into parts of a network where they are not authorized. Thus, when someone hacks into a software product under development (or later), they may not just be stealing a copy, they may be adding to it. Intentional trapdoors, as well as others that occur because of mistakes in code writing, sometimes allow a hacker to gain what is called “root.” Hackers trade or sell each other “root kits,” bundles of tools for keeping root access once it has been gained and hiding that fact from the machine’s owner. If you have “root access” to a software program or a network, you have all the permissions and authorities of the software’s creator or the network’s administrator. You can add software. You can add user accounts. You can do anything. And, importantly, you can erase any evidence that you were ever there. Think of that as a burglar who wipes away his fingerprints and then drags a broom behind him to the door, erasing his footprints.
Code developers may go one step further than just leaving an access point and insert a “logic bomb.” The term encompasses a spectrum of software applications, but the idea is simple. In addition to leaving behind a trapdoor in a network so you can get back in easily, without setting off alarms and without needing an account, cyber warriors often leave behind a logic bomb so they don’t have to take the time to upload it later on when they need to use it. A logic bomb in its most basic form is simply an eraser: it erases all the software on a computer, leaving it a useless hunk of metal. More advanced logic bombs could first order hardware to do something to damage itself, like ordering an electric grid to produce a surge that fries circuits in transformers, or causing an aircraft’s control surfaces to go into the dive position. Then it erases everything, including itself.
America’s national security agencies are now getting worried about logic bombs, since they seem to have found them all over our electric grid. There is a certain irony here, in that the U.S. military invented this form of warfare. One of the first logic bombs, and possibly the first incidence of cyber war, occurred before there even really was much of an Internet. In the early 1980s, the Soviet leadership gave their intelligence agency, the KGB, a shopping list of Western technologies they wanted their spies to steal for them. A KGB agent who had access to the list decided he would rather spend the rest of his days sipping wine in a Paris café than freezing in Stalingrad, so he turned the list over to the French intelligence service in exchange for a new life in France. France, which was part of the Western alliance, gave it to the U.S. Unaware that Western intelligence had the list, the KGB kept working its way down, stealing technologies from a host of foreign companies. Once the French gave the list to the CIA, President Reagan gave the agency the okay to help the Soviets with their technology needs, with a catch. The CIA started a massive program to ensure that the Soviets were able to steal the technologies they needed, but the CIA introduced a series of minor errors into the designs for things like stealth fighters and space weapons.
Weapons designs, however, were not at the top of the KGB’s wish list. What Russia really needed was commercial and industrial technology, particularly for its oil and gas industry. In order to get the product from the massive reserves in Siberia to Russian and Western consumers, oil and gas had to be piped over thousands of miles. Russia lacked the technology for the automated pump and valve controls crucial to managing a pipeline thousands of miles long. They tried to buy it from U.S. companies, were refused, and so set their sights on stealing it from a Canadian firm. With the complicity of our northern neighbors, the CIA inserted malicious code into the software of the Canadian firm. When the Russians stole the code and used it to operate their pipeline, it worked just fine, at least initially. After a while, the new control software started to malfunction. In one segment of the pipeline, the software caused the pump on one end to pump at its maximum rate and the valve at the other end to close. The pressure buildup resulted in the most massive non-nuclear explosion ever recorded, over three kilotons.
If the Cold War with Russia heats up again, or if we were to go to war with China, this time it might be our adversaries who have the upper hand in cyber war. The United States’ sophisticated arsenal of space-age weapons could be turned against us to devastating effect. Our air, land, and sea forces rely on networked technologies that are vulnerable to cyber weapons that China and other near-peer adversaries have developed with the intention of eliminating our conventional superiority. The U.S. military is no more capable of operating without the Internet than Amazon.com would be. Logistics, command and control, fleet positioning, everything down to targeting, all rely on software and other Internet-related technologies. And all of it is just as insecure as your home computer, because it is all based on the same flawed underlying technologies and uses the same insecure software and hardware.
With the growth of outsourcing to countries like India and China that Friedman got so excited about, the likelihood that our peer competitors have been able to penetrate major software and hardware companies and insert such code into the software we rely on has only increased. In the world of computer science and networking, experts long thought that the two most ubiquitous operating-system codes (software that tells hardware what to do) were also the most badly written, or “buggy,” computer code. They were Microsoft’s Windows operating system for desktop and laptop computers, and Cisco’s for large Internet routers. Both systems were proprietary, meaning not publicly available. You could buy the software as a finished product, but you could not get the underlying code. There were, however, several known instances in which Microsoft’s security was compromised and the code stolen, giving the recipient the opportunity to identify the software errors and ways to exploit them.